From 0f5182d0c630dc77777c00cabe485f700881dcf9 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 22 Mar 2025 16:47:19 +0000 Subject: [PATCH] Update module golang.org/x/net to v0.36.0 [SECURITY] (v10.0/forgejo) (#7303) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) | require | minor | [`v0.33.0` -> `v0.36.0`](https://cs.opensource.google/go/x/net/+/refs/tags/v0.33.0...refs/tags/v0.36.0) | --- > ⚠️ **Warning** > > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net [CVE-2025-22870](https://nvd.nist.gov/vuln/detail/CVE-2025-22870) / [GHSA-qxp5-gwg8-xv66](https://github.com/advisories/GHSA-qxp5-gwg8-xv66) / [GO-2025-3503](https://pkg.go.dev/vuln/GO-2025-3503)
More information #### Details Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied. #### Severity Unknown #### References - [https://go.dev/cl/654697](https://go.dev/cl/654697) - [https://go.dev/issue/71984](https://go.dev/issue/71984) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2025-3503) and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license)).
--- ### HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net [CVE-2025-22870](https://nvd.nist.gov/vuln/detail/CVE-2025-22870) / [GHSA-qxp5-gwg8-xv66](https://github.com/advisories/GHSA-qxp5-gwg8-xv66) / [GO-2025-3503](https://pkg.go.dev/vuln/GO-2025-3503)
More information #### Details Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied. #### Severity - CVSS Score: 4.4 / 10 (Medium) - Vector String: `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2025-22870](https://nvd.nist.gov/vuln/detail/CVE-2025-22870) - [https://go-review.googlesource.com/q/project:net](https://go-review.googlesource.com/q/project:net) - [https://go.dev/cl/654697](https://go.dev/cl/654697) - [https://go.dev/issue/71984](https://go.dev/issue/71984) - [https://pkg.go.dev/vuln/GO-2025-3503](https://pkg.go.dev/vuln/GO-2025-3503) - [http://www.openwall.com/lists/oss-security/2025/03/07/2](http://www.openwall.com/lists/oss-security/2025/03/07/2) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-qxp5-gwg8-xv66) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
--- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - "* 0-3 * * *" (UTC). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7303 Reviewed-by: Earl Warren Co-authored-by: Renovate Bot Co-committed-by: Renovate Bot --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 7b0119ba01..12d2c3803b 100644 --- a/go.mod +++ b/go.mod @@ -103,7 +103,7 @@ require ( go.uber.org/mock v0.4.0 golang.org/x/crypto v0.35.0 golang.org/x/image v0.23.0 - golang.org/x/net v0.33.0 + golang.org/x/net v0.36.0 golang.org/x/oauth2 v0.27.0 golang.org/x/sync v0.11.0 golang.org/x/sys v0.30.0 diff --git a/go.sum b/go.sum index 859f93f9f1..1c8e75c1ff 100644 --- a/go.sum +++ b/go.sum 
@@ -1631,8 +1631,8 @@ golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= -golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I= -golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4= +golang.org/x/net v0.36.0 h1:vWF2fRbw4qslQsQzgFqZff+BItCvGFQqKzKIzx1rmoA= +golang.org/x/net v0.36.0/go.mod h1:bFmbeoIPfrw4sMHNhb4J9f6+tPziuGjq7Jk/38fxi1I= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
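Review bot: In go.mod, the changed line `golang.org/x/net v0.33.0` -> `v0.36.0` moves three minor releases for a single advisory, yet the commit message never states which release carries the fix for CVE-2025-22870 or whether the NO_PROXY host-matching path is reachable from this code base. Please record in the message that v0.36.0 is the intended fixed version (the advisory text only links https://go.dev/cl/654697 and https://go.dev/issue/71984) and attach `govulncheck ./...` output from before and after the bump. The Renovate warning "Some dependencies could not be looked up" also means this PR should not be read as covering the neighbouring pins in the same require block (`golang.org/x/crypto v0.35.0`, `golang.org/x/oauth2 v0.27.0`, `golang.org/x/sys v0.30.0`), which are left unchanged here; a note on which lookups failed would help whoever backports this.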
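Review bot: In go.sum, the two added `golang.org/x/net v0.36.0` lines (the `h1:` module hash and the `/go.mod` hash) cannot be validated from the diff, and because the go command trusts entries already present in go.sum, a wrong hash committed by the bot would not be re-checked against the checksum database on later builds. Before merging, revert go.sum, run `go get golang.org/x/net@v0.36.0` with GOSUMDB left at its default, and confirm the regenerated lines are byte-identical to the ones in this hunk. Both `v0.33.0` lines are removed, which is only correct if no remaining dependency still requires that version; a CI step that runs `go mod tidy` and fails on any resulting diff would confirm that and catch a go.mod/go.sum mismatch.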